CHRISTIANSBURG, Va. Tuesday, April 2, 2019 – FoxGuard Solutions, Inc., as an active member of the NERC CIPC Supply Chain Working Group, was part of the discussions involving NERC CIP-010 and CIP-013 regulations that become enforceable this year. On July 1, 2020, a new regulation will be added with a heavy focus on supply chain risk management – NERC CIP 013-1. Additionally, there are new requirements included in NERC CIP 010-4 (R1.6), which requires verifying the authenticity and integrity of vendor or third-party software. NERC CIP 013-1 also involves verification of software authenticity and integrity (R1.2.5), a plan to deal with vendor vulnerability and incident disclosures (R1.2.1, R1.2.2, and R1.2.4), and policies in place for when a vendor notifies you that they no longer need remote or on-site access (R1.2.3).
FoxGuard is an ISO 9001:2015 and ISO 27001:2013 certified business that has been providing products and services to the electric utility market for nearly 30 years and has always focused on ensuring security measures are in place to protect our customers. We’ve been planning and preparing for more rigorous Supply Chain Requirements for years. Some examples of product line controls already in place on our Patch Availability Reporting (PAR) and Patch Binary Acquisition (PBA) service offerings include:
• Documentation of hash values for patch files when provided by your vendor (PAR)
• Verification that downloaded patch binaries match the vendor-provided hash value (PBA)
• Integrated authenticity and integrity verification capabilities provided with digital deliverables to our customers using signed hash digests (PAR, PBA)
• Patch evidence (screenshots, logs) of patch data captured (PAR)
• Secure transfer of patch binary files using AES-256 encrypted removable media devices (PBA)
• Tamper-evident packaging for physical shipments (PBA)
We are also working on a few new features for our Patch Availability Reporting and Patch Binary Acquisition service offerings to address the latest NERC CIP requirements:
• PAR – FoxGuard will be adding support to document authenticity controls each vendor has in place associated with the access to patch data
• PBA – FoxGuard will be adding support to document authenticity and integrity controls each vendor has in place related to the acquisition of each patch binary
These new features will be available to customers as part of the monthly PAR / PBA deliverable. Supporting evidence of the authenticity and integrity verification process will also be captured each month and can be made available to customers as requested to support regulatory audit needs.
About FoxGuard Solutions, Inc.
FoxGuard Solutions develops custom cybersecurity, compliance and industrial computing solutions. FoxGuard provides reliable, secure and configurable patch management reporting services, which include availability reporting and applicability analysis for information technology (IT) and operational technology (OT) assets used in critical infrastructure environments. Visit foxguardsolutions.com to learn more.